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appendix b 

PRELIMINARY SPACE STATION CREW SAFETY THREAT LIST 

The threats listed here are generic In that each threat may have more 
than one possible cause. Further In this study, potential hazards will be 
developed P for these threats, allowing specific Identification of controlling 
safety criteria and guidelines. 

The scope of issues covered are threats that affect cr ® w health and 
being directly and threats that Impact the space station and Its ability to 
continue functioning. Sources of threats can be external to the space 
station crew initiated, space station hardware/software responsible, or 
generated by hardware/software and processes dedicated to space station 
experiments, payloads, and cargo. 

Design and operational guidelines eventually will have to be drawn up for 
the space station and Its dedicated crew equipment, for crew functions, as 
well as for carry-ons: experiments, payloads and cargo. 

FIRE 

A fire in an area containing subsystems equipment, electrical wiring, or 
l aboratory equipment, or in personnel areas which damages and puts out of 

^ uel f f iSJSlbl 1 1 ty? 1 ng f 

"NASA MSC Requi remenTT'for Materials and Processes \0SC-SE-00MB , through t e 

R2L8RS* 1 ^UTLraSSt*(S3rt.W pre-breathing areas), 
IMliMrltlJS Ertblmlwe to ensure that no Mt on sources 

are available and the contained materials are , n ®J .PgjSl? a fo^theOrblter 
mnrpntrations "Environment Requirements and Test Criteria tor tne uroner 

Vehicle" MFQ004-014C, cites maximum allowable surface temperatures in each of 
the compartments based on the potential fluid leaked Into the compartment. 
Fluid leaks are considered credible. Additionally, smoke/fire sensing 
supression could be Included in Damage Control design. 

LEAKAGE 

Leakage of any gas or liquid which is produced, stored, or i routed through 
the pressurized areas of Space Station volumes, including any chemicals used 
or that may be produced in experiments. The leakage may occur at any po 
through which the fluid is routed. Leakage rates must be assumed and 

increased margins and/or system make-up capability must J" C ]c d rHticai e to 
d5l5n. Selection of materials and seals for faying surfaces is critical to 
the life of the Space Station in orbit. Seal selection, expected life, 
condition at installation, and installation techniques determine leak 
susceptibility at all penetrations. 

TUMBLING/LOSS OF CONTROL 

Space Station attitude maintenance systems require at least 
fall -operational /fall safe capability. Consideration of a requirement for 
maintenance and returning the system to operable status should be given. 
Forces that may cause tumbling or loss of control, other than attitude 
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BIOLOGICAL OR TOXIC CONTAMINATION 

cont»?!lS“f C 1^1?'°^. «; toxic 

te’SMTs.'si.- iiiiZriu 5fei tt-v" 

also be assumed toxic; theiaUr* JoLw!? b lS K ter 1n connected tanks will 

S^ p v f j5rL^!r?r“>f »c&w^ r s^r the 

lS°9l V %n?age S ^ 

sr’vfS ■«? ra sr 2 - 

are 

«L±nS“:s 

INJURY/ILLNESS 

f ro^expl'odi ng tSZ o? 9 Jc«M 

by breathi ng JjyglJ 1 dlfiJielt^i ? "cajfa !j ouch J n 9 h0t or co1d surfaces, ald° 

ssriSSr * bk v. =’,:a:i! 

*5* °o r "t 0 ™? ^ h « r :-eo„d 

SflH 

srsisSS M s aarsa^ 

GRAZING/COLLISION 

c,„,e™y sSrT? u ™r?I?l S uI: te „ r ^ X s w ? n as external e,e ™"tt «»1 can be 
h ,“a,; “ y structural failure, procedural error or inadequate stowane and 

handling rationale. External threats can be caused by Orbi ter/OTV^or eva 

astronauts coming Into unplanned contact with the Space Station a 

2 r ,ch <r ** Vs & t . 

et^r t “” S a ““ U 

equipment Ca potent?ff e ^?i!°? ° f pr !?! ry structure but may damage exposed^ 
tSeRflned collision candidates must be identified and the specific 


CORROSION 


This threat concerns structural degradatlo of metallic and nonmo^mr 
equipment. Leakage of corrosive or reactive materials can degrade an 

Matin!!?*/ US6f i?!k?i S ? ant, /° r cause structural or mechanical failures. 

^ o1nts ot dissimilar metals :anjead to corrosion 
arrI!w^Hn ted t0 ‘ l ” ter ” a1 environment extremes of ten. -ature and humidity 
accelerating corrosion In carbon or most organic materials Examples of y 
corrosive processes Include stress corrosion, elertrolytSc corJSoI and 
polymerization. Causative agents Include acid, salts, solvents, halogens, 

processes. ^ 00 P r ° 9ram 15 set U P t0 screen against corrosive agents and 
MECHANICAL DAMAGE 

dama 9 e defined as being caused by collision inside the 

MS. ^ 

EXPLOSION 

compartment Mdrfii !" n !??! 0S i 0n ' the ltalM 9 e will be confined to one 
S3Ss An LS?2lIi overpressure, heat, shrapnel, and atmospheric 
. A11 equipment in the compartment may be damaged and made 
1' "SIS* '!?■“" !?? jraoc-plsted for protection. Violent rllease of eneroy as 
a result of equipment overpressurization, fire, chemical reaction exces*?vp 

for P exp?^ °r s J ruct ural failure are candidate causes 

ror explosion. For instance, an explosion of .025 lb TNT eauivaian* 

releasing 50 BTU of energy In the firm of heat! shock wavet Snd klSetlo and 

mSld a Ln^i1? y ? f Shrapne ' dima 3 e could be confined to one compartment and d 

S a F* -F ; 5sssr 

tne tnreat. Walls and primary structure, or eaulDment out^iHp th» 
compartment, would probably nit be damaged? (SSlHoulwn? whllh 

generators te iaser° S !t?' y }" c1ud ® s P um P s - ■«*»«. blowers, rocket motors, 

Satinn haMtlkif^. ? tc * *!! exc ) udln 9 equipment and materials from Space 

L5S 

» SKSSvsas; 

spn«7nn f ro " 1 ca t a str°ph 1 e penetrations. Guidelines concerning pressure 
£2212: rel ev1 "? and control, chemical screening to prevent use of Solent 
reagents, and system heat rejection are key elements controlling eJplwlon 

LOSS OF PRESSURIZATION 

. pressurization In a habitable volume may be caused bv an 

aira 3 L P S^ at1 ° n °I a f outside "all or bulkhead/ Pressure sensing, 

the k SDace Static 5Srh imply 5 he need J for a Damage Control System on-board 

tox1c1?rsens1nS wlth^ ^arfri?t?n^? m wou i d ] ncl “ de pressure, temperature and 
y sing with additional capability for smoke sensing and fire 
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suppression for each Isolatable compartment In the Space Station with primmary 
and P back-up readout panels located In separate Space Station a reas. lf 
conroartment size and criticality so Indicate, a need may exist for automatic 
control^of hatch actuation. Those design constraints are dependent upon 
assumed penetration size, size of each Isolatable volume, use frequency of the 
compartment and criticality of the adjacent compartments. 

RADIATION 

Radiation threats are associated with the exposure of the astronauts as 
well as equipment to Ionizing radiation, ultraviolet or infrared light, 
lasers, and electromagnetic or radio frequency radiation. £ ad1a 

threats mav be caused by leaking or inadequately shielded radioactive 
equipment^such as RTG's, particle accelerators, liquid metal heat exchan 9®^* 
etc. RF and electromagnetic radiation from RF generators can ?r dnance 

devices or interfere with the operation of critical equipment. Allowable 
feJels of elSh S^hese energies must be established, and design accommodation 
made to ensure that the Space Station astronauts and equipment are protected. 

OUT OF CONTROL IVA/EVA ASTRONAUT 

Loss of control of astronauts during IVA/EVA may be caused by 
malfunctioning maneuvering devices or lack of adequate handholds and other 
restraints. The Issue of aberrant astronaut actions causing a problem must be 

considered. Rapid rescue is required by a J^or ifalso 

conditioned to the suit atmosphere, who is waiting In an airlock or is ais 
naffnnninn fva nr iva Eauipment adequacy and redundancy could address the 
former Issue, the latter may require some physical restraint system, equlpmen 
or facility. 

INADVERTENT OPERATIONS 

Critical tasks and systems controls should be analyzed to assess the 
Impact of Inadvertent operations. Hardware can be protected by switch 
wickets, lever-locks, etc. Software can be protected by two or three 
“and"-ing requirements, as well as being protected from astronaut modification 
on-board. Recommendatons are for automating all routine functions, with 
manual work-arounds as required. 

LACK OF CREW COORDINATION 

Within the aviation industry - both civilian and j ta ^ e " ?^®l!! 1ence 

has shown that lack of crew coordination In times of crisis has almost 

Invariably resulted In catastrophe. Some crews' attention 

a-tr travel have occurred as a result of the entire crews awsnuvii 

being diverted to trouble shooting the problem affecting the airplane while no 

one nald attention to the ordinary chores of piloting and navigating the 

alrpfane. One major airline radically changed crew training and JJP9^ adin 9 

techniques to address this problem. Similar prob '}•■} cHtlcal 

coordination could arise In a Space Station. It Is important that critical 
routine functions be manned at all times, If not automated. This will allow 
•investigation of malfunctioning equipment by personnel " ot de ^® a f® d h *° 
routine, but essential , Space Station equipment. Crew tasks should be 
reviewed carefully with this potential problem In mind. 
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ABANDONMENT OF SPACE STATION 

There should be a passive capability of the Space Station to survive 
abandonment. A combination of accidents and/or subsystems degradation 
requiring the abandonment of the station by some or all of the occupying 
personnel Is considered here. Such abandonment will not be a time-critical 
emergency but a deliberate abandonment planned over a period of days to 
months. The worst design case Is when one of the separate pressure volumes 
has been evacuated and sealed off for some time because of major damage or 
contamination, and all personnel are In the remaining volume. If the cause 
for abandonment concerns the Inability of the station to support human 
habitation, the station should be able to maintain critical functions, such as 
attitude maintenance. A cause for abandonment could be loss of a breathable 
atmosphere. Critical avionic equipment should be able to function In the 
absence of an atmosphere. An Important task related to the above hazard, that 
was considered during this effort was the Escape and Rescue. The philosophy 
adopted with respect to escape and rescue Is stated below: 

Increased Reliability 


or Redundancy 

Preventive 


Built-In 

Damage Control 
Compartmental 1 zatl on 

Prevent! ve 


Built-In 

Improved Emergency 
Sensors 

Preventive 


Built-In 

On-Board Preventive 
Mai ntenance 

Preventive 


Built-In 

Abort Capability 

Remedial 


Built-In 

Personal Survival 
Equipment 

Remedl al 

Separate 

Built-In 

On-Board Repair 
Capability 

Remedi al 

Separate 

Built-In 

On-Board Medical Aid 

Remedl al 

Separate 

Built-In 

On-Board Emergency 
"RED" Systems 

Remedl al 

Separate 

Built-In 

"Buddy" Concept 
(Separate Type) 

Remedl al 

Separate 


On-Board Escape and Walt 

Remedl al 

Separate 


On-Board Escape and Return 

Remedial 

Separate 


Spare Earth Return Module 

Remedl al 

Separate 


Unmanned/Manned 
Assistance or Rescue 




Earth Launched 
(Post Emergency) 

Remedl al 

Separate 


"Pre-Deployed" 

Remedl al 

Separate 
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V9U 


ELECTRICAL SHOCK 

einnilf h ^ P ! r | 0 ?? e1, dur1ng , th ® n °rmal operations of equipment or due to 
failu [ e V r masked dual point failures, are exposed to 
electrically energized components, terminal strips, buss bars, s Lured charge 

aE8 a K a 5 US ‘ e ? c ;* that tbr0LI ? h a combination of electrical potential current 
anybody resistance would aflow a person's body to offer apatn fSr c5??ent 

9 I°U nd d !! d resu ] t 1n shock or electrocution, a hazard potential 
exists. A hazardous voltage or power source Is any potential source of power 

res? stance^contar t r1 ° U h< !*? oclt or b , urns or a fata l current, dependent upon body 
resistance, contact conditions, and path through the body (see table below) 

w ^ c * 1 J*® nses ° r controls critical control parameters of flight 
systems or Is reasonably capable of applying damaging electrical enerav to* 
supported systems Is classified as Safety Critical. e,ectncal e ^rgy to 


PROBABLE EFFECTS OF SHOCK 
Current Values (Mill lamps) 

AC 60HZ DC 


0-4 
4-15 
1 5-80* 
80-160* 
160-300* 
Over 300* 


Effects 

Percepti on 
Surpri se 
Reflex Action 
Muscular Inhibition 
Respiratory Block 
Usually Fatal 


0-1 
1-4 
4-21* 

21-40* 

40-100* 

Over 100* 

♦Serious Shock or Burns. 

METEOROID PENETRATION 

A fallout of space debris studies will have to be a probability of strike 

h!pn a cnfM^ ed n Slz ! 2! m ® teoro * d * Yhe potential impact of this threat has not 
been specifically defined at this time. However, basic assumptions should 

Hamano Sr h P °i'^ n K ia ^ m ® teoroi d penetration of the primary structure. Physical 
f?r!i °? dbe ® onfin ® d t0 one compartment and Is assumed to consis/of 
finely divided molten high-speed shrapnel (from spallation of the Inner wall). 

STORES/CONSUMABLES DEPLETION 

^n„^o nSU ? a ?]? S ^ b0t f fo r the s P ac ® stat1on as we11 a s for the astronauts, 
require establishing levels that account for leakage, spoilage, unexpected 
high consumption rates, etc. The key to establishing quantities Is 
*"£•»"» what survival time, without support from the ground Is required: 

shollld considered.’ ° r Wh “ ? Aut ° l " at1c '“-'"torylng of critical consumables 
INTRUSION/ATTACK 

Screening related literature indicates that 1ntra«crew member hostility 

highly ™u«?eVSnd'2X W* “ ha " ^ •tffioK’tSlS’Kl’Ku 

nigniy motivated and dedicated personnel are Included In crews cneriai 
screening of candidates win be required. This threat could be psychological 
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as well as physical. STS-5, and subsequent flights where more than two crew 
members are on board, will be watched closely as crew Interaction will be more 
complex. How to approach tne Impact of this threat: with sedation, by 
employing "Polaris Pajamas", by Isolating offending crew members, etc. - must 
be determined. Overt military action and external intrusion/attack Isa 
fallout of a space station survivability analysis and Is beyond the scope of 
this study. 

STRUCTURAL EROSION 

This issue has been observed in long lived spacecraft. Space debris and 
.ninutia progressively can erode metallic or non-metal 1c enclosures to 
£ SolTwhere ^llakage coLld occur. If the eroded skins allow fluid or gas 
containment systems to leak, undesirable spin/tumbling moments could be 
reacted Into the space station and/or consumables could oe lost o^oard. , 
This is a downstream "wear" Issue but appears to be real enough to address in 

the program. 


ORBIT DECAY 

Consumables needed to update orbital position or to Si Lf!?? 8 
of space station drag may become an Issue when large captive st ^tures are 
beina constructed prior to separation from the space station. Credibility of 
this 9 threat Is understood when one considers a fully operational space station 
In its planned working environment. This threat impacts consumable margins. 

LOSS OF ACCESS TO A HATCH 

The loss of access to any one hatch, door, or other personnel or cargo 
transfer opening because of jamming of the mechanism, either open close , 
or because of obstruction by cargo; or because of a localized hazard 
situation (fire chemical spillage, electrical hazard, etc.). 

Comoartmentation to allow access to "safe havens" requires a minimum of two 
ear^ss oaths from each habitable volume. Present space station design 
philosophy appears to provide this capability. Design drivers are hazards 
that destroy P compa rtment habitability and require survival workarounds. 

TEMPERATURE EXTREMES 

Ability of crew and equipment to function under va [] y1 'IS n J?'I P i ^ci^ice 
stresses needs to be considered. Emergencies such as the ° ^ervice 
Mndiiie tank exolosion may be postulated to determine tne credlbil ity of this 
Sreit ^Unexpecte^heat^ nputsf rom experiments/payloads/cargo need be 
addressed^ear^^toensure 1 the space station's ability to grow Into Its 
operational phase. This threat deals Indirectly with planned margins and 
absolute capabilities. 

DEBRIS 

The threat category of external debris excludes meteoroids and Is usually 
referred to as space garbage. Nominally, space debris, as opposed to 

meteoroids, would have lower closure rates allowing the ri P 0 ”l b l? O a P fllt e rs and 
collision avoidance. Internal debris, on the other hand, can c l °9 JlUers and 
dl recti v affect equipment operation and crew performance. The Orblter 
ex^rlenced clogged ffl ters due to lint, affecting air cooled avionics and 

overloading fan motors. 
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FREE-ORBIT 


Sri's 5“ SSSsSS^ai, 

tether, or the unexpected releacA n f work s ^ e * dr1ft throu 9b loss of 

Inadvertent detachment from local strurtu^A en f r 9y w ^j c ^ results In 

energy are: propulsive Pressure 6JSn^emblTleIkr r ?r?°T eS ° f Stored 
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Appendix C 
SPACE STATION 
CREW SAFETY CRITERIA 


These criteria were eclectically assembled from 
Industry space station studies beginning as early 
as 1968. Those criteria that were relevant to the 
current space station studies were carried forward, 
If not In detail, at least in intent. Reassessment 
of threats under Contract NASI -17242 evolved 
additional criteria that are Included. 


20 January 1984 
Rockwell International 
Space Transportation and 
Systems Group 
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SPACE STATION 
CREW SAFETY CRITERIA 


Rev. December IS, 1983 


DAMAGE TOLERANCE 

A-l No credible single space station failure, operational error or radio 
frequency signal should result In damage to space station or mission/ 
payload equipment or In the use of emergency equipment; some limited 
degradation In mission/payload accommodations, crew convenience/ 
comfort, or space station attitude or orbit may he allowed 

A-2 No credible combination of two space station failures, 

ml ssl on/payload equipment failures, operator errors, or radio 
frequency signals should result In the potential for crew Injury or 
permanent loss of the space station or primary mission/payload 
capability; Institution of emergency procedure/equipment may be 
necessary, but no hazardous operational level will be reached 

A-3 All subsystem/equipment critical to preservation of life and space 
station survival shall be fall -operational /fail -safe (excepting 
primary structure and pressure vessels) 

A-4 Fail -operational /fail -safe designed subsystems should allow 

maintenance to upgrade the subsystem/equipment without being degraded 
below fail-safe during the maintenance actions following the second 
failure 

A-5 Potentially rupturable containers should contain less material (gas, 
liquid, solid) than would cause unacceptable overpressure if all the 
material were released in a leakage, rupture or explosion 

A-6 Redundant accommodations for command and control of the space station 
shall be provided such that the primary control center has complete 
capability, but the backup control center will have, as a minimum, 
control of critical functions 

A-7 Design inhibits to prevent failure propagation from one 

volume /subsystem/component to another should be incorporated 

A-8 The space station should be designed and operated so that any damaged 
module can be isolated from the rest of the Station in TBD seconds, 
as required. Provisions shall be made for pressure isolation within 
the volumes. Modules should be equipped so that the crew can safely 
continue a degraded mission and take corrective action to either 
repair or replace the damaged module 

A-9 Any volume should be capable of sustaining the whole crew, and 

capability should be provided for performing critical functions at an 
emergency level until the crew can be rescued. Electrical and fluid 
lines in each pressure-1 sol atable volume required for critical 
functions should be protected against the effects of explosion, fire, 
vacuum, and corrosion 
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A-10 Capability should be provided for performing critical functions with 
a portion of a subsystem Inoperative for maintenance, and any 
| pressure-1 sol atable volume inactivated and not accessible 

| A-ll Redundant equipment, lines, cables, and utility runs, which are 

| critical for safety cf personnel or mission continuation, should 

! either be located and routed In separate compartments { 1 . e . , 

separated by a structural wall) or should be protected against fire, 
smoke, contamination, loss of pressure, overpressure, and shrapnel 

\ A-12 All walls, bulkheads, hatches and seals whose Integrity is required 

■ to maintain pressurization or atmospheric Isolation shall be readily 

f accessible for inspection and repair by crewmen In pressurized suits 

l 

[ A-13 As a design goal, Inspection, maintenance and repair of critical 

[ subsystems by shirt-sleeved crewmembers shall be accommodated. 


CREW PROTECTION 

B-l Provisions should be made for a safe haven within the space station, 

1 sol atable from the hazard capable of sustaining the crew for 21 days 
beyond normal resupply and allowing rescue by a Shuttle. Provisions 
shall be made to monitor the health of the remaining habitable 
modules from this safe haven 

3-2 Personnel protection from electrical shock, radiation, mechanical and 
themal hazards, should be provided 

B-3 Accessways between compartments should be sized such that an IVA/EVA- 
sulted crewman is allowed free passage 

B-4 Provisions shall be made for the protection and survival of the whole 
crew during solar storm activity as defined by the TBD design mission 
radiation model 

B-5 Personnel escape routes should be provided in all hazardous situations 

B-6 Provisions and habitable facilities should be adequate to sustain the 
entire crew for a minimum of 22 days during an emergency situation 
when damage repair is in progress 

B-7 Atmospheric stores and subsystem capability sufficient for two full 
repressurizations of each pressurized habitable volume should be 
maintained on/at the space station during manned operations 

B-8 Access to EYA and IVA airlock and suit statlon(s) should be provided 
for all credible emergency conditions. Airlock chamber(s) should be 
provided to permit crew access for EVA/I VA operations 

B-9 Two or more suited crewmen should participate In any pressure suit, 
activity and rescue provisions should be provided to allow safe 
return to space station, following the Incapacitation of any one 
crewman 

B-10 Real-time monitoring of the atmosphere constituents, Including 
harmful airborne trace contaminants and odors should be performed. 
Control shall be provided for each pressurized habitable volume 
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B-ll Two or more entry /egress paths should be provided to and from every 
module or pressure-1 sol atable volume. The two paths should be 
separated by airtight partitions, or shall be at least 10 feet apart, 
and should each lead to an area In which the crew can survive until 
escape, rescue or removal of the hazard 

B-12 Materials used In the habitable areas should not outgass toxic 
constituents In the lowest pressure environment and highest 
temperature to which they will be exposed 

B-13 All EVA and unpressurized compartment IVA should be conducted using 
the "buddy system", (tote: buddy system criteria can be met with 
suited crew to station exit In visual contact with subject.) The 
buddy system should also be used during shirtsleeve operations In 
hazardous areas 

B-14 A margin of consumables should be provided onboard, sufficient for 
performing critical functions for TBD hours at a reduced level 
following any credible accident which renders one pressure-isolatable 
compartment unavailable 

B-15 At least two egress paths should be available from each module for 
emergency egress of personnel during manned ground operations 

B-16 Emergency pressure suits required In the space station, sized to fit 
any crewman, should be in readily accessible locations within each 
pressure-isolatable volume 

B-17 Provisions should be made for emergency medical treatment of credible 
accidents and illnesses for durations compatible with the rescue 
provisions 

B-18 The safe environment and the safe operational status of activated 
subsystems within the space station should be verified prior to 
personnel entry, initially, and prior to reentry following temporary 
station abandonment 

B-19 Deployment and initiation of operations considered hazardous should 
be checked out from a safe location before exposing crewmen to the 
potential hazards 

B-20 Provision should be made for the return of a crewman incapacitated 
while performing EVA 

B-21 Provisions should be made for the detection, handling, containment 
and/or disposal of toxic, flammable, combustible and hazardous 
materl al s 

B-22 Pressurized volumes should have adequate free volume (not occupied by 
equipment) to allow crew freedom of movement to support long-duration 
habitation 

B-23 Hazardous or toxic fluid storage, conduits and Interconnects between 
modules should be external to the pressurized volume. Exceptions may 
be made for flammable but nontoxic gases where the maximum possible 
quantity released by a leak cannot result in a flammable mixture 
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B-24 Provisions should be made for detection and control of pathogenic 
agents onboard the space station using methods harmless to c rev/ and 
equipment 

B-25 Planned crew t*sks should be assessed Initially, for compliance 
Intent wltn TBD regulations before performing such tasks; and crew 
training provided for each specialized and/or hazardous task 

B-2G Provision should be made for handling Irrational crewmembers and the 
remains of deceased crewmembers 

B-27 The occupied compartment's acoustical noise environment should be 
within human tolerance noise exposure limitations, permit 
Intelligible auditory communications, have a minimum of pure tone or 
narrow frequency band(s), a minimum of Intermittent or discontinuous 
noises and a minimum of high-frequency noises. System and equipment 
design (Including subcontractors) should be accomplished from the 
outset to produce an acceptable noise environment. Desirably, the 
noise environment should meet NC TBD-or-lower noise contour for work 
periods and NC TBD-or-lower for sleep periods 

B-28 Any module designated as a safe haven shall be provided with an 

airlock chamber at the port assigned for orblter docking and rescue 
to allow crew transfer and rescue from a degraded and/or marginal 
safe haven. The rescue hatch shall provide for actuation from Inside 
or outside to accommodate contingencies 

B-29 Subsystems shall be designed to prevent Inadvertent or accidental 
activation or deactivation of functions or equipment that would be 
hazardous to personnel or the Space Station 

B-3Q Radiation doses that affect personnel safety must be considered from 
all sources, Including natural environment, external isotope and 
reactor sources (If any), electromagnetic, solar radiation and 
internally allowable radiation levels from experiments, processes and 
health maintenance/diagnostic equipment 

B-31 Exposed surfaces within habitable modules shall not exceed a 
temperature of 113 # F (with a design goal of 105°F) and a low 
temperature of no less than 40°F 

B-32 Except for contingencies, EVA shall not be used for hazardous 

operations or when a maneuvering spacecraft Is within the proximity 
operating zone (+5 nm) 


STATION INTEGRITY 


C-l Primary pressure structural materials should be nonflammable. 

Interior walls and secondary structure should be self -extinguishing 

C-2 Normally exposed nonmetal 11c materials should be self -extinguishing 
In the most severe oxidizing environment to which they will be 
exposed. Means shall be provided for fireproof storage of medical 
supplies, maintenance supplies, food, tissue, clothing, trash, and 
for other non-self-extinguishing items, when they are not In use 
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Potentially explosive containers, such as high pressure vessels or 
volatile gas storage containers, shall be placed outside of and as 
remotely as possible from personnel living and operating quarters. 
Wherever possible the containers should be Isolated and protected so 
that failure of one will not propagate to others 

Containment of all materials requiring return via the STS to prevent 
contamination of the space station environment should be provided to 
reduce the hazard of potential fire and toxic conditions 

Tank supports should be designed to restrain the tank under 
propulsive effect of rapidly escaping gas 

Design provisions should be incorporated to prevent uncontrollable 
J?£h opem ng due to pressure differentials, and to allow controlled 
closing of hatch openings with or against pressure differentials, for 
the worst care pressure differentials anticipated 

Equipment or materials sensitive to contamination should be handled 
m a controlled environment. Fluids and materials should be 
compatible with the combined environment in which they are employed 

Provisions should be made to allow communication between any and all 
1 sol atabl e/habitable volumes on a primary and backup basis 

Provisions should be made for material usage, identification and 
location mapping to allow real-time evaluation to determine adequate 
inspect! on/maintenance replacement frequencies 

C-10 Fluid or gaseous flow, such as pressure relief valves/exhausts, fuel 
transfer disconnects, etc., should be designed to prevent torquinq/ 
turning or undesirable translation motions to the space station 

C-ll All reaction control thrusting devices used primarily for altitude 
positioning of the spac.i station, and occasionally for velocity 
changes, should be located such that the exhaust plume does not 
impinge upon other structural elements such as solar cells, areas 

station" 9 EVA ,na1ntenance or other vehicles docking with the space 

C-12 Space station modules should be tumbled to rid them of internal 
debris and contaminants immediately prior to preparation for launch 

C-13 Provisions shall be made for in-flight servicing, adjusting, 

cleaning, removal and replacement of offending components, testing 
and repairing of all critical subsystems 9 

C-14 Wear items should be life cycle tested in a realistic environment 

C-15 All personal items should be screened for flammability and toxicity 


C-4 


C-5 


C-6 


C-7 


C-8 


C-9 


\ 
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C-16 Space Station protective enclosures shall be provided for all high 
mass/high speed rotating machinery 

C-17 Active/passive compartmentatlon should be provided to contain and/or 
prevent flre/exploslon/depressurlzatlon Initiation or Impact 
propagation. Compartments should be Inspectable to support damage 
control and maintenance operations. 


CONTINGENCY CON TROL 


D-l Identified hazards should be eliminated, reduced to controlled 
hazards, or specified as residual hazards 

D-2 Provision should be made for detecting, annunciating, containing/ 
confirming, controlling and restoring to a safe condition emergencies 
such as fire, toxic contamination, depressurization, structural 
damage, etc. The tools, tasks, spares, workspace, storage volumes 
necessary for these provisions shall be included in space station 
design panning 

D-3 For those malfunctions and/or hazards which may result in time- 
critical emergencies, provision should be made for the automatic 
switching to a safe mode of operation and for caution and warning of 
personnel 

D-4 The capability snould be provided on the space station for the 
detection of malfunctions and/or hazards, tracing to the failed 
replaceable unit and the display of information to the crew necessary 
for corrective action 

D-5 Provisions should be made for the crew to ascertain the hazard status 
of any habitable module external to the inhabited module and to 
mitigate or control remotely those hazards which would preclude safe 
entry to the module in question 

D-6 The crew must be able to override any automatic safing or switchover 
capability. All overrides should be two-step operations with 
positive feedback to the initiator, which report Impending results of 
the override command, prior to the acceptance of an execute command 

D-7 Windows should be provided in the space station to enable adequate 
visibility to accomplish safe docking operations with the orbiter or 
other vehicles. Additional windows will be necessary to monitor EVA 
operations, logistic resupply operations and to support photographic 
requirements. Transmission through the windows should be such as to 
protect the crew from harmful UV and IR radiation. Thermal flux from 

the windows should be controlled to prevent excessive heat from the 
crewman s face and head 

D-8 An independent self-contained Illumination system should be provided 
that will be automatically activated In the event of a major primary 
power failure or main lighting circuit malfunction resulting in 
circuit breaker interruption 

D-9 Materials and components subject to insidious degradation in the 
Space Station Ionizing radiation environment shall not be used where 
that degradation can cause or contribute to a crew hazard 
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D-10 Provisions shall be made for safe disposal of the Space Station or 

Sbe^ 1 JJ a Se P p a u r b t 11c here ° f W,th ° Ut dan96r t0 f1l9ht or 9round cre *- 
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E “* fm1i r i^ e w1th U l’l sJafs^n*" *!?* w' 11 "'ss'on segment crew Is 
I!lTi]I a r ' Station Operations and Maintenance as concerns 

exDerimIntc bS nH/ em and 2 * Procedures necessary to render SAFE all 
experiments and/or user-processes 

E ~ 5 Sin! 0109 c r i , ter ! a ? hould Include assessment of attitudes, physical 

ss^*s?^s? i sii?fi y n ?o d i£c^ s 3??i^u:ns3'Tgg nity to ,unction 


84 


Appendix D 
SPACE STATION 

CREW SAFETY DESIGN GUIDELINES 


These design guidelines were eclectically assembled 

eSy a^S S Thn! sta A io , n 4 studies ^ginning as 
VL S 968 V Those sidelines that were relevant 

forward C ^ en not SP ?S e H S l a V! 0n stud1es were carried 
rorwara, if not in detail, at least in intent 

, t - 1rea ' ts under Contract NASI -17242 
evolved additional guidelines that are Included. 


21 February 1984 
Rockwell International 
Space Transportation and 
Systems Group 
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SPACE STATION S AFETY GU IDELINES 


Design Guidelines Acronyms 


AOM ■ Attitude /Orbit Maintenance Systems 

C«W = Caution and Warning Systems 

CME = Crew Messing Equipment 

COM = Communication Equipment 

CPH = Cargo/Payload Handling Systems 

CSE ■ Crew Safety Equipment 

CWS * Crew Water Systems 

DPS * Data Processing Systems 

DUS * Docking/Undocking Systems 

ECS = Environment Control System 

EPD s Electrical Power Distribution Systems 

EPG » Electrical Power Generating Equipment 

FSE s Fluid System Equipment 

HMS * Health Maintenance Systems 

IFM ® In-Flight Maintenance . 

INT * Integration, two or more systems involved 

E : Equipment 

OPS a Operations 

RSD * Radiation Shielding Devices 
STR ■ Structural Systems 
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SPACE STATION CANDIDATE SAFETY DESIGN GUIDELINES 

DG-INT-OOI. Normally habitable compartments of more than 25 cubic meters 
(880 cubic feet) In volume shall have two or more exits Into areas which 
provide for personnel survival. These exits shall be at least 3 meters 
(10 feet) apart. 

DG-INT-002. Flammable, explosive or gas generating material shall be 
located r.o that the energy content which can be propagated at any one location 
shall not result In overpressurization of the compartment from heat and gas 
production. 

DG-INT-Q03. Flammable, explosive or gas generating material within 
3 meters (10 feet) of the entrance to compartments with only one entry /egress 
path shall be limited so that the energy content, If released, will not result 
In damage of an environment which prevents shirtsleeve access through the 
entrance. 


DG-INT-004. T wo • * more entrances Into normally habitable compartments 
cf more than 25 cub> meters (880 cubic feet) in volume shall be shirtsleeve 
accessible from each of the other normally Inhabited compartments. These 
entrances shall be at least 3 meters (10 feet) apart. 


DG-INT-005. Where only one shirtsleeve Ingress/egress path Is provided 
Into a compartment or module, redundant means shall be available for opening 
the connecting hatch (es) from either side. 

DG-INT-006. Capability shall be provided to depressurize adjacent 
volumes before undocking. 


DG-ECS-007. Capacity shall be provided to reduce the pressure in each 
habitable volume, sufficiently, or Increase it in the adjoining habitable 

volumes, and to cut off air circulation, so that In an ^e^ency 

atmosphere In the affected volume will not be propagated Into a joining 
compartments. This capability shall be controlled remotely from each 

compartment. 

DG-ECS-008. Automatic venting capability shall be provided in each 

habitable volume so that in the event of a fire or release of gases within the 
volume the pressure will not exceed the structural limits of the structure or 
the capability of the seals to other volumes to exclude the contaminated 

atmosphere. 

DG-IHT-009. Double contained toxic flammable or corrosive fluid 
containers shall be provided, with means to detect leakage of the toxic 

flammable or corrosive fluid Into the volume in between the containers, and 
with means to detect penetration of the outside container. 


DG-INT-010. Capability shall be provided to detect potential tank 
failures by measurement of fluid pressures, temperatures, tank strains, or 
other means. 


DG-INT-011. The reflectance of surfaces of docking vehicles and the 
docking system that are visible to the controlling crew and TV cameras shall 
be below eye and vialcon damage levels. 
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DG-DUS-015. Redundant or replaceable video monitors shall be provided. 
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Inadvertent contact from the docking vehicle. geometry to prevent 

OG-pUS-018. The docking system shall be capable of withstanding vehicle 
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opening If opened when a pressure differential exists. 

DG-DUS-023. All docking Interface equipment shall be grounded. 

DG-DUS-l 24. At the docking ports, all electrical umblllcals shall he 
grounded until connection of the docking Interface. Ca S sna11 be 
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i backu P EVA egress/ingress hatch which can be used for 

contingency EVA shall be available. Capability for depressurization and 

repressurization of the connecting habitable volume shall be provided. 
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DG-INT-027. An emergency IVA or EVA return route shall be available for 
any planned IVA activity Independent of the normal IVA airlock route. 
Depressurization and repressurization capability shall be provided for the 
additional volumes which must be used. 

DG-CSE-028. Emergency portable life support systems shall be available 
In the airlock sufficient to sustain IVA personnel In an emergency IVA or EVA 
return from planned IVA or EVA activity. 

DG-C0M-Q29. Communication between any and all habl table/1 sol atable 
volumes on a primary and backup basis shall be provided. 

DG-EPG-03Q. Adequate venting of batteries shall be provided to prevent 
contamination, overpressure or explosion. 

DG-FSE-031. All filters, screens or other devices used to collect 

contaminants or waste products shall be designed so they can be easily 

serviced or replaced without releasing contaminants Into the atmosphere. 

DG-CAW-032. An audible and visual alarm shall be provided to warn the 
crew of habitable volume C02 partial pressure not within the prescribed limits 
for crew safety. This alarm shall be provided both in the affected habitable 
volumes and at the command and control center! s). 

DG-EPD-033. Equipment, Including electrical wiring, that could become 

contaminated or damaged by leaking propellants shall be located to prevent 
contact with possible leakage or shall be provided with suitable protection. 

DG-INT-034. Means shall be provided for collecting and/or containing any 
loose fluids or debris that may result during replacement of system conponents. 

PG-FSE-035. Fluid systems shall have provisions for shutting off the 

flow of fluid to sections of the system or equipment which are susceptible to 
damage or leakage. 

DG-FSE-036. All orifices, close tolerance valves and 
contamination-sensitive equipment In fluid systems, shall be adequately 

protected from contamination. Futhermore, If the system is designed for 
periodic flow reversal, or a possibility exists that flow reversal can occur, 
both sides of these items shall be protected. 

DG-CME-037. Food supplies shall be stored in more than one storage 

container. 

DG-CME-038. A means for sterilizing containers where food Is stored 
shall be provided. 

DG-CME-039. Food supplies which require cooling or refrigeration shall 
be protected by a redundant capabl 1 i t y . 

DG-HMS-040. Means for controlling Insects In the space station shall be 
provided. The control method should be harmless to men and equipment. 

DG-INT-Q41. The use of mercury on-board space stations should be 

prohibited. 
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DG-ECS-042, Provision shall be made for the removal of ozone generated 
by X ray equipment or electrical arcs. 

DG-FSE-U43. The number of connectors used to connect plumbing or 

components In fluid systems should be kept to a minimum. 

DG-FSE-044. Safety requirements for all subsysteins/experlrnents/lnternal 
payloads are needed. 

DG-FSE-045. Fluids required for operation of subsystems located In 

habitable volumes shall be non-toxic, non-flammable, and non-corrosive. 

DG-INT-U46. Pressurized containers should not be installed In normally 
habitable volumes. When Installed externally to normally habitable volumes, 
shrapnel shields shall be provided to protect the normally habitable volumes. 

DG-CAW-047. Visual and audible alarm shall be provided to warn the crew 
of atmosphere contamination which exceeds the limits established for crew 
safety. This alarm shall be provided at a minimum in the affected habitable 
volume and at the command and control center(s). 

DG-C&W-Q48. Where the possibility exists that a fluid in a system could 
become contaminated, means shall be provided to detect contamination and 
provide an alarm at the command and control center(s). 

DG-CAW-049. A system shall be provided to monitor the environmental 
status of all potentially hazardous (explosive, flammable, toxic, etc.) 
materials stored on-board the space station, and display a warning signal in 
the command and control center(s) when established limits are exceeded. 

DG-C&W-050. A warning and alarm system shall be provided to alert the 
crew of atmosphere relative humidity levels which are not within prescribed 
limits, with the warning displayed at the command and control center(s). 

DG-ECS-051 . Provisions shall be made for containing, venting or 
eliminating odors and bacteria generated by waste products and other sources. 

DG-ECS-052. The composition of the space station water supply shall be 
checked at regular Intervals to ensure that contamination does not exceed 
prescribed limits. 

DG-CWS-053. A capability shall be provided for maintaining the sterility 
of on-board water supplies. 

DG-CWS-054. Water storage systems shall have provisions for isolating 
parts of the system which may have become contaminated. 

DG-CWS-055. Water supplies shall be stored in areas which will minimize 
the possibility of contamination from other space station systems. 

DG-INT-056. System components shall be designed to withstand the 
overpressure and heat pulse attendant to meteroid penetration. 

DG-ECS-057. Materials used for insulation or filler in space station 
walls shall be non-combu:tible. 
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DG-IFM-Q58. Windows shall be designed to permit replacement without 
degrading the pressure or structural Integrity of the space station. 

DG-STR-l)b9. Individual habitable volumes shall be designed to withstand 
a rapid decompression of any adjacent compartment. 

DG-STR-06Q. Space station structure shall be designed as a structural 
matrix with the capability of arresting crack and tear growth. 

DG- INi-061. Equipment located In habitable volumes shall be designed to 
create no hazard to occupants during the changing environment associated with 
rapid decompression of the space station. 

DG-MSE-062. Automatic closure of hatches between habitable volumes, when 
pressure decreases below a specified limit, should be considered as a design 
feature. 

DG-0PS-U63. Hatches between compartments should be closed except when 
required for crew transit. 

DG-C&V! -064 . A means shall i provided for visual Inspection of the hatch 
as well ,v, the warning system, a safety check to assure that hatches or 
other accesses to an area at a different pressure level have been secured 
properly. Warning system displays shall be at the hatch and at the command 
and control center (s).. 

DG-MSE-QU5. Pressure hatches providing access to an area of differential 
pressure should be of a type that becomes more positively engaged under 
pressure lot ding. 

DG-ECS-066. Hatch design should be such that loss of a hatch seal 

element will not result in a pressure leakage rate which exceeds the emergency 
recompression system capability. 

DG-INT-067. Provision should be made for an airlock in the hatch or 

hatchway between separately pressurlzable compartments. 

DG-INT-068. A leakage repair system employing techniques and equipment 
appropriate to the vacuum and gravity environment of the space station shall 
be provided as a ki table part of the damage control system. 

DG-HMS-069. Consideration should be given to providing the equipment and 
supplies necessary for general cardiopulmonary resuscitation and other 
equipment and supplies that might be required for the individualized treatment 
of residual effects of decompression. 

DG-FSE-070. All pressure relief valves shall be designed to protect 
against a regulator failed or stuck in the full open position. 

DG-FSE-071 . Plumbing systems which carry cryogenic fluids or hydrogen 
peroxide should be designed such that adequate pressure relief capability 
exists in those areas most likely to trap the fluids. Furthermore, to guard 
against the possibility that a relief valve In these systems becomes frozen 
shut or otherwise rendered inoperative, a backup pressure relief device, such 
as burst disks, should be Incorporated. 
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DG INT-0/2. All pressure systems should be designed to enable a planned 
depressurization; accurate sensors should be Incorporated to ensure that the 
pressure js totally relieved prior to opening the system should that 
requirement arise for maintenance or other reason'. 

DG-tCS-U/ j. Any pressurlzable volume that can be confined or isolated bv 

prote?tlSV f ro!f over^rJXure. 1 W * S * Sh ° Uld 1ntlude S0,ne means for automatic 

MtlI CG-FSE-U74 Pressurized gas supplies should include restrictions that 

f! ! Vlu 9< * s , flow 1n the ‘-•vent of a pressurized gas plumbing fal.ure, to 
that which can be handled by the relief valves or ventinq system. 

_ . 0G-IFM-O75. Design of space station structure and equipment. Including 

their Interfaces should be such that all portions of the pressu-e shell 
bulkheads and seals will be accessible for damage Inspection and repair This 
should apply to exterior as well as Interior space station surfaces P 

D6- IMT-076, Potentially harmful effects on the crew members of rapid 

decompression should be minimized through engineering considerations In 

compa r tme n t° ne t P vo fume td 1 ^ on atinos P here composition, pressure and habitable 

DG-STH-077. The space station shall be of sufficlert structural strength 
. sa /® '/ maintain the requlreo internal pressure within the expected launch 
and mission environment for the period of orbital stay. 


DG-IFM-078. Components which are vented to space 
replaceable without requiring cabin depressurization. 


(vacuum) shall be 


DG-IFH-079. Cabin pressure shall not be vented to space throuoh 
compartments or outlets that are used to vent fluids. P gn 

DG-ECS-Q8Q. Pressure relief devices for all pressurized volumes shall be 
vented to areas that will not endanger the crew or equipment. 

DG-ECS-Q81 . All cabin atmosphere overboard relief or "dump" valves (anv 
valve venting into space) shall be fail-safe in the closed position and should 

b ® s , e J nc * i ng when failed. Manual override or redundant manual valving 
should be provided as backup. 

DG-CSW-082. Total cabin pressure sensors shall be provided to detect 

SSi«2l"5. lerance va1 . ues of the tota1 .cabin pressure. Detection of pressure 
change at an excessive rate, or outside the desired operating range, should 
activate an alarm system to warn the crew to initiate approDriate remedial 

ThC 3 a, n n should be activated both in the affected habitable volume 

and at the command and control center(s). 

„.if pr e«ur*e warning systems shall include provisions for 

self -test and shall be self-indicating in the failed state. 

DG-EPD-084. Hire bundles shall be routed and protected as to DrecludP 

damage to the insulation through flexing or bumping. 


9 ? 


t 


to • h “V , Mr rar 

generating shorts or arcing. inadvertfi nt breatagu, which could result in 

riHrsrir^ 

^rassr pro,,de ' a « ^«*u\^«i2 rt jir!!a 
•-XfELJss rarstiKtiLiasir *■* is 

otc . , ja™ if;o z arro ec eV,:M^: u ^r s P i S5 c rf, c t rof 

•^rc^SrtSi^g " 0te " tfa ’ 


heat 


.11 ^MV^V’SS^i - ^ 0 7 de t0 “r S “ r V Pr ^ er »'» ”""«‘1on .t 
Verification should be made to ensure that^all ^Vn^ 00 °!, system power - 
destgnei. no pin-to-pin shorts exist, end that n*.'J in-w-s'heTfVhorts Slit. “ 


t.esic D spic N e1t«ion*" eq “ ipn,ent *" d sul ’ st '' ucture snail 


be grounded to the 


differences'betweeif drcking S spacecraft Pr ° V * ded t0 eqUa,i “ 6,ectr1c 
.*i£Mi bfpr t o, P ided?°" er distrtl)ut, °" P«"* to essentia, electrical 
for cr1tlMl 0 l 5 ie C tHr» O i rS Sha11 be provided t0 detect out-of-tolerance values 

*«■ Multiple or redundant primary electrical power sources shall 

of 4 equipment 0 wh ich"* 1 l^s ^unabfe ll 
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DG-EPD-098. Redundant electrical circuits for items critical to crew 
safety should not be included in the same wire bundle. 

DG-EPD-U99. Power distribution lines should be routed in such a manner 
that any damage resulting from fire, caused by a fault in the distribution 
system, will have a minimal effect on other power distribution wires in the 
vicinity. 

DG-0PS-1Q0. Procedures should be established and means provided the crew 
for controlling and/or eliminating contamination that is in excess of the ECS 
capability to control on a timely basis. 

DG-ECS-1 01 . Redundant C02 removal equipment wich capability of manual 
override of automatic operation should be provided to ensure a continuous 
capability to keep the C02 partial pressure witnin allowable limits. 

DG-ECS-1 02. The amount of toxic or potentially toxic materials (such as 
materials or chemicals utilized in experiments) on-board the space station 
should be limited such that accidental release of the totil quantity of the 
material will not produce contamination above the capability of the 
environmental control system to remove on a timely basis. 

DG-HMS-1 03. Threshold Limit Values (TLY's) of contaminants for long term 
human exposure should be established for space station environments. 

DG-0PS-1 04. Strict configuration control procedures should be 
established over all materials incorporated in or brought on-board he 

spacecraft. 

DG-0PS-105. The original orbital flight path selection and changes 

required by station-keeping during the mission should be such that the 
probability of collision with man-made debris or other spacecraft is 
sufficiently low to provide adequate confidence in orbit selection and program 
decision to proceed. 

DG-CPH-1 06. All bulk cargo should be properly tethered or otherwise 

controlled during zero-gravity or partial gravity operations. 

DG-0PS-107. Procedures and equipment should be available for use in 

event of death of a crew member. 

DG-HMS-1 08. Procedures and equipment should be provided for the 

preservation or disposal of the remains of deceased experimental plants or 
animals. 

DG-OPS-1 09. The program of selection, training, mission support, 
physical conditioning, daily activities, and recreation should insure that 
crew members remain confident in the mission and their roles in it. 

DG-HMS-1 10. Procedures and eon.pment should be provided for restraint 

and control of irrational crew members. 

DG-HMS-1 1 1 . Unauthorized personnel should be restricted from using 

radiation-producing equipment or handling and using on-board radioisotopes. 
Consider the installation of coproprlate caution signs and/or other means of 
warning, featuring visible or audible signals. 
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DG-HMS-1 1 2 . Safe procedures should be established for the disposal of 
radioactive waste or radiation-contaminated material. The procedures should 
also include the actions necessary for the disposal of a spent or failed 
nuclear power reactor. 

DG-HMS-1 1 3. On-board handling and use of radioactive material or 
radiation-producing equipment snould conform or be consistent with established 
NASA and Nuclear Regulatory Commission policy and procedures for radiation 
protection standards. 

DG-HMS-1 14. Positive protective measures should be taken to prevent 
accidental exposure to personnel from RF or X-radiation. 

DG-EPG-115. Nuclear powered electrical power sources should be located 
and shielded to protect crew members from accumulating excessive radiation 
dosage. 

DG-HMS-1 16. Crew location during the nuclear power unit activation 
should be restricted to refuge areas affording high protective shielding, 
until radiation levels have been checked in all habitable areas within the 
space station and have been found to be within acceptable limits. 

DG-NUC-117. Space station install ed/residing active nuclear reactor 
shall provide fail -operational /fail-safe measures for emergency shutdown of a 
reactor and provide alternate methods of reactor neat dissipation in event of 
failure of the primary cooling system. 

DG-RSD-118. The space station radiation protection provisions shall be 
consistent with the orbital flight path type, orbital height, and inclination 
selected. 

DG-CPH-119. Space station design and layout should make maximum use of 
any on-board mass as radiation shielding. 

DG-RSD-120. Protection of the space station crew against the effects of 
a nuclear device explosion in space that releases radiation into the space 
station's orbital path should be considered. 

DG-C4W-1 21 . The location and characteristics of the radiation detectors 
should be consistent with the expected radiation environment. 

DG-INT-1 22. Radiation effects upon space station electronic materials, 
microelectronic circuit elements, electrical systems, metals, ceramics, 
polymers, and other organic and inorganic materials should be thoroughly 
investigated for radiation-induced transient and permanent effects in terms of 
false signals, degradation, catastrophic failures, and contamination. 

DG-OPS-123. In low-inclination (up to 60 degrees), low altitude orbits, 
Extra-Yehicular Activity should not be scheduled while the space station is 
passing through the South Atlantic Anomaly. For polar orbit, the same 
guideline applies. In addition, the occurrence of a solar event should 
require that EVA be avoided. 
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DG-OPS-1 24. A mission radiation control program should be Instituted to 
* 00 f x ? osure , 11mits * Procedures, design criteria, and 
Sf SfbftJl lt^ S COns1stent w1th the ex P ected mission environment and period 

DG-HMS-1 25. A cumulative radiation exposure record should be keot on 
each crew member, and personnel whn have reached the limit of safe raaiation 
exposure should be returned to earth without delay. raaiation 

. , 26 Provision should be made in the space station for a 

designated shelter that would serve as a haven for radiation protection 
against possible high-intensity radiation events. This shelter should contain 
the necessary life support equipment and provisions consistent with the 
maximum expected stay time for the particular mission profile. 

s P ace . Nation radiation monitoring, including cumulative 
radiation level records, should be maintained to ensure the precise 

and P rovide c ]® ar notification of radiation conditions, and 
warning of possible over-irradiation of the space station. 

• The . space station detection system should continuously 
dCC^ffor the mTs^Ton exterior Nation levels and record the accumulated 


DG-RSD-129. Additional protection for crew members performing EVA in the 
proximity of a nuclear power source should be provided. 


DG-INT-1 30. Precautions should be taken in the selection of spacecraft 
materials to ensure that the materials will not support induced radiation. 


DG-OPS-131. Maintenance procedures 
into account the possible high operating 
possibility of release of contaminants. 


for C02 control equipment should take 
temperatures of the equipment and the 


DG-OPS-1 32. The storage and disposal of combustible waste materials 
should be suen that a fire hazard or traffic obstruction is not created. 

DG-INT-1 33. Flame arrestors should be provided in all ducting throuqh 
which flame could propagate. 3 

DG-INT-1 34. Cryogenic piping systems should provide for both automatic 
and manual emergency shutoff. 


DG-EPG-1 35. Adequate cooling capability should be providec to prevent 
overheating of electrical power sources even during worst-case conditions. 

DG-1NT-136. Power generating and distribution equipment which Is a 

station 3 source shou ^ d be located in unpressurized areas in the space 


DG-INT-1 37. Fire control equipment and/or methods should be provided 
manual ty controlled*** 0 * 1 ly Vitiated, or are readily accessiole and can be 
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DG-INT-1 38. Electrical insulation should 
self-extinguishing in the tpace station atmosphere. 


P®. as a minimum, 


DG-INT-1 39. Power equipment racks and cables should be as resistant to 

o^onslhoi?!* £5%Z eq “' P * ent “ SUa ' t, ““ te/da "“9 e 

DG-INT-140. All fluid lines should be adequately protected from freezina 
due to proximity to cryogenics, or exposure to black space. 9 

chn..i5 G hl NT " 14 !^ He . a A‘ ,ng ® len,en t s which must be exposed to the atmosphere 
should be provided with a device to prevent the propagation of flame. 

h* °5: CAW : 1 t 2 - Ar ® as wbere radioactive materials are used or stored should 

rartwtflf? f ° r radioactl u v , e . contamination, and suitable warnings provided if 
radioactivity exceeds established limits. uv.ueu 

Com P° nen , ts wh1ch could generate excessive heat due to 
Jf° uld h be automatically monitored for temperature increase and sealed 
from the atmosphere. An overheat warning signal should be provided. 

• The amounts of hypergolic, pyrophoric or other eaciiv 

ignitable materials on board the space station should be restricted to the 

anduse. " eCeSsary - a " d dldsd d e exercised e,er t"elr hand,“g 

DG-INT-145. Potential ignition sources, such as lighted ciaarette*; nr 
compartment ’ of * the soac^ J£V be pe !^ itted . within the pressurized inhabited 

insSre^.5 a 0f fi“Vz P ard^ U\ present. 5 n8,(l C<,ntr01 be exerc,sed td 

firec DG rfic^l, 46 ; hrt \i absen . c / of ox ^9 en is utilized as a means of preventing 
atmosphere 9 " prov ' ,de that no sin 9 le failure could produce an oxygen 

and oxidizers? 7 * Passa9eways should be ke P t free of all combustible materials 

DG-MSE-1 48. Lubricants used in mechanical components which are essential 
for survival should be capable of withstanding extreme temperatures. 

DG-ECS-149. A capability for manually controlling operation of eauioment 
used for cabin and equipment temperature control should be considered. 

nrpriH5l EP hI 15 °H Current 1 tl ng devices or techniques should be used to 

accidental ^ de-actl r ^be * resistant 3 to inadvertent 1 or 

eqXynt U ' ' ,pr0Vi ^ cu ^ nt source^nd 
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DG-FSE-1 52. Propellant supply system equipment and plumbing which uses 
toxic or potentially flammable fluids should be located In uninhabited areas. 

DG-INT-1 53. Equipment which has a critical temperature requirement 

should be protected oy redundant or alternate temperature control capability. 

DG-INT-1 54. Materials which are capable of self-propagation of fire 
should not be on-board the space station in sufficient quantities or 
concentrations that ignition would result in a hazardous condition. 

DG-ECS-1 55. Valves for oxygen systems of 3000 PSI or higher should be 
slow opening and closing to minimize the possibility of ignition of 
contaminants. 

DG-ECS-1 56. Space station thermal protection provisions should be 

consistent with the orbital flight path, orbital height, and inclination 

col m 


DG-ECS-1 57. Thermal control equipment whose operation is critical to 
crew safety should have redundancy provided. 

DG-ECS-1 58. Temperature sensors should be provided at critical points in 
thermal control systems to detect out-of-tolerance temperatures. Detection of 
temperatures which deviate from the normal range should activate an alarm 
system to warn the crew of the need for remedial action. 

DG-INT-1 5f. Procedures should be established and design safeguards 

provided that will preclude operation of tnrusters when it might endanger crew 
members involved in EVA. 

DG-A0M-160. Sensors should be provided to monitor the temperature of 
attitude control thruster assemblies. The sensors should activate visual 
and/or audible alarm at the command and control -enter! s). 

DG-A0M-161. Angular rates of the space station should be continuously 
monitored during attitude change maneuvers. Detection of excessive angular 
rates should result in automatic/controlled shutdown of operating thrusters. 

DG-A0M-162. An automatic system for controlling thrusters to restore a 
tumbling space station's stability should be provided,, 

DG-A0M-1 63. Redundancy should be provided for all components that are 
located outside pressurized inhabited areas and failure of which could result 
in a loss of attitude control. 

DG-AOM-164. The attitude maintenance system should have the capability 
to counteract the undesired motion imparted by fluid escaping through a hole 
In a compartment or pressure vessel. 

DG-A0M-165. Interlocks should be provided to prevent simultaneous manual 
and automatic operation of the attitude control system. 

DG-AOM-165. A means for stopping propellant flow to failed OPEN 
thrusters should be provided. 
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DG-INT-167. Outlets should be designed so that fluids being vented 
overboard do not Impose any torque on the spacecraft. 

DG-FSE-168. Propellants should be stored in more than one tank or other 
storage device. 

DG-INT-169. Accessways between and within compartments should be sized 
In such a manner that an IVA-suited crew member will be allowed to access to 
normally used areas. 

DG-STR-1 70. Hatches snould be capable of being operated from either side 
and at least two methods for operating the hatches should be provided. 

DG-ECS-171. Space station airlocks should have redundant pressurization 
capability. 

OG-IMT-1 72. An alternate command and control center should be provided 
in tha space station, possibly within the crew refuge area, to ensure 
continuation of a minimum number of functions which aw . 

and crew life support, in the event the primary command and control center is 
rendered incapable of providing these functions. 

DG-INT-173. Capability should be provided to allow entry into a 
compartment, where fire or other emergency exists, to effect rescue of 
incapacitated crew members or to combat a fire. The means of entry and the 
procedures involved should assure that the emergency does not escalate or 
spread to other locations in the space station. 

DG-OPS-1 74. Mission rules should Include the requirement ; that control 
center "authority to proceed" be obtained inrnediatel'/ prior to the initiation 
(bv anv crewmember) of any activity which is hazardous either by itself, or 
when *^erf orned" i n conjunction with other hate activities being conducted 

simultaneously. 

DG-C4W-175. Closed circuit television system with strategically located 
cameras should provide command and control center operators ) real-time visual 
information on hazardous activities/operations.. 

DG-OP* 176. Simultaneous occupancy (other than momentary) by the space 
station con... ier and his deputy, of those compartments or J ocfions whi ch are 
judged to have the highest safety risk probability, should be minimized. 

DG-COM-177. Equipment in the space station for externa] voice and data 
communications should have as much commonality as practicable with t 
equipment used in the logistics vehicles and earth-return vehicles. 

DG-AOM-178. Continuous indication of space station attitude or attitude 
changes should be provided to the command and control center(s). 

DG-OPS-179. Crew activity should be restricted during transfer of 
volatile, flammable, or explosive materials either between do ^® d spacecraft, 
the loalstlcs vehicle, or within the space station. These restrictions s h® u i d 
apply 9 to the use of high voltage equipment, conduct of high temperature 
experiments, or other activity which would Involve a potential source of 
ignition in the Immediate neighborhood of the material transfer route. 
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DG'OPS-IBU. The numoer of crew members In any compartment at one time 
should be held to a minimum necessary to perform the required functions. 

DG-QPS-1 81 . Crew members should be restricted from movement about the 
station other than within specified and assigned areas. 

DG-INT-182. The areas In which the crew spends most of Its time 
(staterooms, dining facilities, personal hygiene areas, exercise and 
recreation areas) should be designed as the safest parts of the space station. 

DG-CAW-183. Critical visual /audible CAW alarms should be displayed In 
all Inhabited compartments. 

DG-COM-184. An Independent emergency communications system should be 
provided for directing and controlling operational activities In emergency 
situations. 

DG-OPS-185. A sufficient number of logistics and/or fescue vehicles 
should be docked to the space station at all times to accomodate every 
on-board crew member in the event that emergency evacuation is required. 

DG-COM-186. Independent emergency communications should be provided to 
assist EVA personnel In performing their tasks or to facilitate rescue of EVA 
personnel . 

DG-EPD-187. Emergency lighting system should be provided to assist EVA 
personnel in performing their task or to facilitate rescue of EVA personnel. 

DG-OPS-188. Periodic drills for all personnel should be devised, and 
conducted in response to unscheduled simulated emergencies, so that crew 
proficiency is maintained in emergency procedures. 

DG-OPS-189. "i'ire Resistant" areas should be established to provide 
haven from fire. Emergency procedures should be established to identify sucii 
things as optimum routes to haven from any area, and all personnel should be 
trained in these procedures. 

DG-0PS-190. Procedures should be established and training provided to 
the crew which will enable them to cope with any foreseeable contingency that 
might arise during EVA. 

DG-CAW-191. An adequate fire warning system should be provided. The 
warning should be activated by smoke or fumes, as well as heat, and should 
warn the entire space station. The precise location of the fire should be 
provided to the command and control center(s). All segments of the warning 
system should be resistant to temperature extremes, decompression/overpressure 
or shock and should be self-indicating when failed. 

DG-FSE-192. A means for monitoring fluid quantity usage should be 
provided to permit the crew to detect excessive consumption rates and low 
remaining supply levels. 

DG-CAW-1 93. The commencement, behavior, and completion of all remote 
hazardous resupply operations (pressurized liquid or gas resupply) should be 
positively indicated at the command and control center(s). 
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DG-OPS-1 94 Overall healtn and safety responsibilities should be 
assigned to specific members of the crew with alternates. 

nr nPS-lQS Procedures should include the provisions for abort for all 
1 „cJSr»eMcles TX .» on->o»r< urgency „Mch *»uld Jeop a .d,ze the 
space station. 

DG-EPG-196. An emergency power source which Is completely Independent of 
the primary power source should be provided. 

□G-OPS-l 97. An Initial advanced manning team should check habitability 
of the space station prior to duty crew manning. 

DG-COM-1 98. A visual warning should be provided to the command center(s) 
when any link of the space station communication system fails. 

DG-COM-1 99 At least one intercommunications station should be pro 'l id Kl! 
for each separately pressurizable space station compartment that can be 

occupied by the crew. 

DG-INT-200. The maintenance equipment, procedures and skills required to 
completely analyze and Isolate component failures and accomplish the 
replacement or repair should be provided. 

DG-C&W-201 Critical subsystems of docked transient vehicles should be 
conti nuouslymoni to red in the space station comnand and control center(s), 
with appropriate warnings for out-of-tolerance conditions. 

DG-0PS-202. All EYA and IVA suited activities shall be 
monitored by a suited crew member who is in a position to provide imme 

assistance. 

nr,-OP<U2Q3 A oeriodic, two-way communications check should be made by 

Sfcift * sss 

station emergency procedures. 

0G-0PS-204. Armable subsystems that comprise the space stationandits 
docked vehicles should be armed only when they are to be used and Immediately 
disarmed when their function is no longer required. 

DG-INT-205. The pressurized compartments of a space station should have 

crew U9 f reedonf of 1 movement biological environment 

that is commensurate with their orbital stay duration. 

DG-C&W-206. Leak detectors should be provided for propellant handling 
equipment located in unpressurized areas of the space station, me detec 
should activate an alarm at the coranand and control center(s). 

DG-INT-207. Replacement components should be designed so that It Is 
impossible to Inadvertently Install the component incorrectly. 

DG-INT-708. Uni versa 1 ly sized, minimum time to don or pi rce, survival 
devices should be made available to the crew. 
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DG-INT-209. All switches should be designed and located so that the 

possibility of Inadvertent activation or Improper selection Is minimized. 

DG-MSE-210. Design of mechanisms shall minimize the number of moving 

parts or other maintenance task generators. 

DG-FSE-211 . Small clearances In fluid system should be avoided where 

fluid entrained particulants could cause binding or jamming of system 
components. 

DG-STR-212. Hatch design shall avoid seal abrading In normal operation. 

DG-STR-213. Provisions shall be made for moisture removal between 

transparency panes. 
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APPEND I X-E 
SPACE STATION 
RELIABILITY REQUIREMENTS 
(Assumed) 


Redundancy 

i All subsystems shall be designed to be fall operational /fal i safe 

restorable as a minimum (except primary structure and pressure vessels) 
during all operational phases except during assembly and during 
scheduled/unscheduled maintenance/repair. During assembly and during 
scnedul ed/unschedul ed maintendnce/repdir, all subsystems shall be 
designed to be fail safe as a minimum. 

? Critical functions (l.e., those related to crew safety or space station 
permanence) shall have backup or workaround modes. 

3. Redundant functional paths or subsystems shall be designed so tha- their 
operational status can be verified without removal of ORU s. in 
addition, these redundant functional paths of subsystem shall be 
designed so that their operational status can be verified in flight to 
the maximum extent possible. As a minimum, these chall provide 
capability for redundancy management in the event of a malfunction of a 
functional path and shall provide information to the crew regarding 
redundancy status of the affected system sufficient to determine if a 
failure occurred. Critical redundant items whose failure cannot be 
detected during flight shall be identified in the individual space 
station critical items list. Redundancies within a functional pat.' 
shall be so designed that their operational status can be verified prior 
to each installation into the vehicle. 

4. Alternate or redundant means of performing a critical function shall be 
physically separated or protected at least to the extent of separating 
the first means from the alternate means, such that an event " h j. c „ 
causes the loss of one means from the alternate means, such that an 
event which causes the loss of one means of performing the function will 
not result in the loss of alternate or redundant means. 

5. Redundant components susceptible to contamination or environmental 
failure causes such as shock, vibration, acceleration or neat loads 
shall be physically oriented or separated to reduce the chance oi 
multiple failure from the same cause(s). 


6 . 


7. 


8. 


Repair, service, or checkout of a functional path, including 
deactivation, shall not degrade the specified redundancy level. 


For reliability design purposes, a redundant path deactivation for 
maintenance or repair shall be considered a failure. 


Redundant equipment, lines, cables, and utility runs which are critical 
for safety of personnel or continued facility operation shall be routed 
in separate compartments (l.e., separated by a structural wall ;[ or H 
protected against fire, smoke, contamination, overpressurization, and 

shrapnel . 
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9. For systems/subsystems using redundant or alternate functional paths . 
the following requirements apply. 

a. Redundant paths shall be electrically and physically separated to 
the extent chat an event that causes the loss of one means will not 
cause the loss of an alternate or redundant means, 

b. Notification of loss of redundacy shall be automatically provided 
to the crew via caution and warning alert signals. 

10. Isolation of anomalies or critical functions shall be provided such that 
a faulty subsystem element can be deactivated either automatically or 
manually without disrupting or Interrupting alternate or redundant 
functional paths. Capability to faul 1-1 sol ate to the line replaceable 
unit or group of units without disconnections or use of carry-on 
equipment, shall be provided. 

11. System hardware shall be designed to minimize the use of special tools 
and equipment for maintenance or repair. If special tools are required, 
and have been authorized, they shall have a life of 10 years min 4 mum. 

12. The operational design life goal shall be a minimum of 10 years with 
scheduled maintenance limited to calibration and to replacment of 
consumables and hardware whose life is limited hy wear or aping. 


Avionics 

13. All avionics systems/subsystems shall be designed such that any two 
nonslmultaneous failures (allowing sufficient time for automatic 
reconfiguration or reconfiguration by the crew) can be detected, 
Isolated, and repairs accomplished without the loss of a mission or 
compromising system safety. 

14. Space station avionics and subsystem electrical components shall meet 
all the safety and performance requirements when exposed to the 
as-installed electromagnetic environment from all sources. 

15. All electronics containing high density Integrated circuitry shall 
survive repetitive single event state changes caused by ionizing 
radiation environments of the space station. 


Mechanical 

16. Primary structures shall be designed to preclude failure by adequate 
safety factors and relief provisions. Pressure vessels shall also use 
design safety factors and relief provisions as well as being built to 
leak rather than explode. 

17. Provisions shall be made for arming explosive devices as near to the 
time of expected use as Is feasible. Provisions shall be made to 
promptly disarm explosive devices when no longer needed. 
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Definition 


» 


Fall -Operational - The ability tc sustain a failure and retain full 

operational capability for mission continuation. , nit 

Fall -Safe - The ability 10 sustain a failure and retain the capability 
to successfully terminate tne mission. Tc,* OSE, the ability to sustain 
a failure without causing loss of vei'l nos system(s) or loss of 
personnel capability. 


Additional definition of terms: 
Mission T enninat 1 on - 


a. 


b. 


c. 


For equipment operating in space away i. "" but using the space 
station as Its base is safe .oturn of crew and vehicle to the 

space station. , . . . 

For the space station is the establishment of safe haven mode 
of operation for crew and station. 

For space station end-of-llfe is the sate removal of the crew 
and safe disposal of the space station. 


Restorable i: the ability to repair-replace a .ailed system or sj-cem 
element prior to the start of a catastrophic sequence of events. 
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